diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c
index 6f5cdd56003..cc83ae32312 100644
--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c
+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c
@@ -525,6 +525,20 @@ static int msm_isp_send_hw_cmd(struct vfe_device *vfe_dev,
 	}
 	switch (reg_cfg_cmd->cmd_type) {
 	case VFE_WRITE: {
+		if (reg_cfg_cmd->u.rw_info.reg_offset <
+			resource_size(vfe_dev->vfe_mem)) {
+			uint32_t diff = 0;
+			diff = resource_size(vfe_dev->vfe_mem) -
+				reg_cfg_cmd->u.rw_info.reg_offset;
+			if (diff < reg_cfg_cmd->u.rw_info.len) {
+				pr_err("%s: VFE_WRITE: Invalid length\n",
+					__func__);
+				return -EINVAL;
+			}
+		} else {
+			pr_err("%s: VFE_WRITE: Invalid length\n", __func__);
+			return -EINVAL;
+		}
 		if (resource_size(vfe_dev->vfe_mem) <
 			(reg_cfg_cmd->u.rw_info.reg_offset +
 			reg_cfg_cmd->u.rw_info.len)) {